
MasterCard: Risk is in the cards

Security exec weighs in on paper shredders, picture IDs and plain old communication.

Instead of a jargon-filled dissertation, MasterCard's new regional head of security, Tim Morris, gave a cheerful and low-tech answer when asked how he tackles security in his line of work.

"Consultation, consultation, consultation," said the burly Australian, who is four months into his tenure as MasterCard's Asia-Pacific vice president and regional head for security and risk management.

"It's like location, location, location in real estate," he said. "There's just no substitute for sitting down and talking to your client, because the better you understand them, the better your solutions will be."




Morris, a 20-year industry veteran who served as the chief of counterterrorism in the Australian Federal Police before he joined the credit card industry, now spends a huge chunk of his time coaxing MasterCard holders into adopting the counter-fraud measures developed by his 10-person team in Asia. Through that, he has learned how tough it can be to create a common security solution that satisfies each member's unique requirements.

"For me, that's the biggest challenge," he said.

So what else does he find challenging about managing people and security?

Q: What threats will e-commerce face in the next five years?
A: Global payment is certainly not immune from globalization. We've seen issues like identity theft really starting to become high-profile in the United States. For example, you look at "phishing" Web sites--they are really exploding around the world now.

The problem is this: Today's criminal doesn't have to be geographically co-located with the scene of the crime. He could be sitting in an office in Uzbekistan, and the victim could be in Singapore or Sydney. That's one of the challenges that law enforcement have to grapple with every day. There's no quick solution to that one.

We are certainly seeing a higher take-up rate of people who are comfortable using electronic commerce, which unfortunately also means that you have a rising pool of potential victims out there.

The solution to that is to educate the public; to make them more security-aware when using electronic commerce platforms.

But public education can never be foolproof, right?
That's where risk management comes in. You need to know where your greatest risks are and how to measure those risks. It's what MasterCard's site data protection program tackles. It does (a) security scan of Web sites to look for vulnerabilities. And it offers proactive monitoring and alert services.

With this program, what we are trying to say is: We want the merchants that use our system to be well safeguarded and have comprehensive security systems. We want the customers who deal with the merchants to be able to deal with them in confidence.

Our other initiative, SecureCode, is another way which we impart a higher level of confidence to users when they are using the Internet.

I don't think we are ever going to produce a silver bullet that's going to be the answer for everybody's security concerns. Rather, it is a series of measures being implemented, with each one being more sophisticated and comprehensive. It's a matter of evolution.

Could the worsening situation of computer virus attacks derail e-commerce?
It could be (serious enough to directly impact e-commerce), but I don't think multinational companies like MasterCard are directly at risk. We have got pretty sophisticated safeguards to protect against them.

However, I think that the merchant who isn't as e-savvy, who is small and has limited resources to apply (relevant countermeasures), will be more vulnerable. That's why programs like our site data protection program are relevant.

As MasterCard rolls out new solutions, like the recent wireless PayPass and Web-based SecureCode, do you find that convenience and security are incompatible?
Not really. Of course, the easy way to make the most convenient system in the world is to ignore privacy and security. Likewise, making the most secure and private system in the world is not difficult, only that you wouldn't be able to use it anywhere.

So how do you deliver a system that does both? The answer is technology.

With the solutions that are out there today, it is a matter of sorting through them, testing them and making sure that we get the right one. In the end, I'm confident that everyone's needs will be met.

But with more people getting jumpy about security, do you see the balance tipped at some point, with credit card companies sacrificing convenience in order to bump up security?

Hard to say, if only because new technologies are constantly arriving on the market, and that means that the planners have to reassess what could be delivered in terms of payment cards. So because things are so dynamic, it is difficult to predict exactly what manifestation would happen next.

Which credit card security technology is hottest now?
Well, there is now a major commitment from major card payment players toward chip-based credit cards. This move is significant because we now have the issue of shifting liabilities.

Explain what you mean by shifting liabilities.
If an issuer has a chip-enabled card, and an acquirer does not have a chip-enabled terminal, then any charge-back liability will shift to the acquirer. Likewise, if the acquirer has a chip-enabled terminal, and an issuer has a non-chip card, then the liability will remain with the issuer. So (the aim) is to encourage the industry to embrace chip-based credit card platforms.

Or force the acquirer to get chip-enabled terminals?
Well, that's the choice that they have to make, but I would. But it is also a big investment for the issuer, so it is a collective effort.

What is the impact of all this on the consumer?
For the consumers, chip-enabled cards mean more security, because there's far more (security measures) that can be delivered with chip-enabled cards. And since consumers won't be impacted at all in terms of liabilities, they will be the big winners, because they now have a more secure payment product in their pocket.

On the subject of credit card security, why do you think photo identification credit cards aren't more popular today?
It's interesting, you know.

Citibank in Australia has a photo ID card, and that's one of its main marketing strategies, but there hasn't been much take-up. Of course, it's up to the financial institutions that issue credit cards whether they want a photo on them or not, but for reasons known to them, it is something that they seem to deem unwarranted.

Why?
Well, I think that if you have a white piece of plastic, you could basically screen or print anything that you like on it, and that includes photos. So if you were the thief, you could print a photo just as easily as you would other data. It is possible to counterfeit the photo as well, just like passports can be counterfeited.

And with non-face-to-face credit card transactions becoming more popular, a photo really doesn't help you there.

Don't get me wrong. I'm not against photo ID credit cards, but once again, it is not the silver bullet that's going to solve your problems.

For someone who deals with security intimately, what advice would you offer information technology managers in Asia on your pet topic?
The latest craze in the United States is the (document) shredder. And sales of shredders have just gone through the roof there. This tip might sound basic, but it is not silly. Americans now are learning to take care of their confidential information. And this is very important, because out-of-sight isn't out-of-mind when it comes to data.

So my tip is: Invest in a paper shredder in the office.

What's your second tip?
Tip No. 2 would be to protect data on your laptop with proper policies and data protection techniques. Just before I left the Australian Federal Police (early this year), the Australian government did an audit of laptops in various Australian government departments, and I think they found out that 300 were missing. So the next question is: What's on those laptops? I think you would be amazed what some people would leave in their laptops. There's a lesson to be learned there.

One last tip?
Ask questions. Be inquisitive. IT managers need to (constantly ask) other business units about the impact caused by the measures that they are taking. I mean, it's getting complex now, and you really need to ask questions to find out. Unless you ask often, you won't really find out what the impact is.

And as you implement measures, it's also about making users downstream aware of the benefits of your measures. Make them aware that (these measures you are implementing) are going to have a positive impact on their bottom line--even though they may seem inconvenient and (return on investment) may not always look obvious.