By Peter Quadagno, CEO and Co-Founder, Vality Corporation
Whether it’s CNP fraud, ATO fraud, false declines or chargebacks, there are many companies attempting to curtail fraud or whatever related factor compromises a payment authorization. Nearly all of them are using big data analytics, AI or the like, which distills their decision to authorize or decline down to probability theory. Probability theory means, by definition, that there is less than a 100 percent chance you are guessing correctly.
What if you could get to your choice without using probability theory? What if you could get to the right choice 100 percent of the time? Clearly, this cannot be achieved with what is available today.
Under current regulations, merchants are financially liable for fraud loss in nearly all CNP transactions (merchants’ liability shifts to issuers with the implementation 3DS, which many are reluctant to do).
There are still hundreds of billions of dollars wasted on fraud prevention, as current systems cannot detect all of it. Clearly there is a need for new thinking and new ways of combatting fraud—a technology that does not depend on data analytics.
The answer lies in using a scientific approach born of quantum randomness. That is, randomness generated by a quantum phenomenon is different than a random number generator table. Something that is truly random.
We believe the application of quantum randomness creates the type of surrogate (i.e., tokens) that can’t be reverse engineered, unlike the algorithms being used to encrypt data elements today that can be reverse engineered and will be subject to fraud that can’t be stopped once Quantum Computing attacks become the norm. Most stakeholders believe this will happen in the next five to 10 years.
In the card payment market, there are two areas of concern regarding fraudulent activities and hacking:
First, there’s the database breach that locks your data unless you pay a ransom. Cybersecurity firms are using software and a variety of applications and policy reviews to keep data safe from anyone who would hold it hostage. Such tactics as data backups, encrypting the data, ensuring adherence to all current security policies, eliminating passwords, using MFA and ensuring staff are trained on those policies are what firms use to block ransom takeovers.
Secondly, stopping CNP fraud, ATOs, false declines and false chargebacks means protecting the data elements themselves that are resident in the database and deemed valuable because they can be converted to either real money or cryptocurrencies that are then converted to a fiat currency.
Today, these data elements, namely card numbers or primary account numbers (PANs), are converted to tokens or surrogates using algebraic methods to obfuscate the true number or string of alphanumeric characters that represent the source of value. But what if we could display that string of characters and still keep it safe? What if we could show you the PAN but because of our ability to give it an identity or to fingerprint it, knowledge of what comprises the string no longer is relevant?
Using certain IP from multiple patents, a technology has been created that can put an identity on the data element we’re attempting to protect and that is owned by a consumer. This is analogous to converting the valuable data element into an offset, like we did for PINs that people selected in order to protect their debit card transactions. Even today, if you use a branded debit card to get cash, you must enter a PIN. And that PIN is unknown to anyone else, including the bank that issued you the card.
Using the PAN as the data element of value that we want to protect, and using a combination of unary and binary mathematics that include the use of quantum randomness, this technology places an identity on the PAN in the two places where it is stored—in the retailer’s mobile application on the consumer’s phone and in the database that releases the PAN prior to authorization.
When a transaction occurs, and before sending the authorization request to the issuing bank, retailers using this technology would create a fingerprinted PAN or what might be called PAN+. They would create two PAN+’s and place one of them on the consumer’s app and the other in their database that is used to send the auth request to the issuer.
PAN+ edit checks include a query to the consumers’ phone via the application and a comparison to the PAN+ in the release database. If the PAN+ in the database and phone are equal, the transaction is deemed fraudulent and is NOT sent to the issuing bank. Simultaneously, the application will ask the consumer if they were the ones to initiate the transaction in a binomial question. Yes/No?
The IP being used here is one that will not be affected by QC attacks once they begin. In the meantime, the implementation of PAN+ will shift the liability from merchants to banks. And when that happens, all banks issuing payment cards will need to implement similar technology.
The days of using algebraic algorithms to achieve encryption or obfuscate valuable data elements are numbered by the time it will take for Quantum Computing attacks to begin. Clearly, we have to be doing something different by the time that happens.