LTP spoke with the CEO and Co-founder of fraud analytics firm, Rippleshot. With the upcoming transition to chip-and-PIN, data breaches and cybersecurity are hot topics.
I (Ruth) have the pleasure of speaking with Canh Tran. Thanks for taking the time to speak on this topic.
Canh: Thanks, Ruth. Glad to be here.
LTP: Can you give our readers a brief snapshot of your background in this space?
Canh: I have spent over 15 years working on cybersecurity and fraud, specifically in real-time credit card fraud detection.
LTP: How did Rippleshot come about as a company? What specific need did you see in the market that your company provides a service for?
Canh: We were working on real-time credit card fraud detection for the last 10 years or so, and what that means is every time you take a credit card and use it at a store, one of our systems will return a real-time score that will tell the credit card-issuing banks whether to accept the transaction or not.
So, depending on Ruth’s pattern, it might be a fraudulent transaction. So let’s decline it, or yes, that’s a normal transaction for Ruth, so let’s accept it. Those real-time systems work really well and that method is used by 100% of banks. What the banks have been seeing over the last five years is that over 50% of the fraud they are not catching is directly related to data breaches.
What that means, for example, is that if you’re walking down the street and somebody steals your credit card and transacts for $1000 at Macy’s, Citibank may revert that $1000, but that is the extent of it. If, say, Target is breached, then you’re talking 50 million cards that are at immediate risk, right? Our issuing clients come to us and say, “Hey, Canh, that’s great you can provide us with real-time fraud detection, but where you could really move the needle for us is if you can tell us ahead of time where a merchant has been compromised.” If we could let our clients know three-four months ahead of a breach before it is publicly known, then they could take the precautions to protect their cardholders.
We were able to back-test on billions of transactions to see if we could detect the ripples or the patterns that would indicate if a merchant has been breached. Once we were able to do that, the genesis of Rippleshot was formed.
LTP: Do merchants or card issuers know how drastically this type of security breach could affect the long-term consumer relationship with their cardholders and how big of a security breach this could pan out to be without detecting it sooner?
Canh: The reason a data breach has been such a pain point for the industry is because it affects not just the banks, but it also affects the merchants and the cardholders. There is a weakness in the payment system.
The technology that is able to breach the payment system has long surpassed the technology that created the payment system 20-30 years ago.
If banks are able to determine where the breaches are earlier, they can actually reduce 30-40% of their credit card fraud losses because they can replace the cards that are compromised before any fraud occurs.
LTP: That’s huge for banks. Can you tell us how the banks and merchants are contacting their cardholders and educating their customers to let them know, “Look, we’ve identified a breach and we are proactively making sure your account is secure and safe.”
How are banks and merchants communicating this without alarming users that they’ve been attacked without them even knowing?
Canh: You know, Ruth, that’s actually a really good question. It’s always a delicate balance for banks, merchants and the whole payments system because you don’t want to spook the cardholders or annoy them by replacing their cards too many times. If the cardholder doesn’t know what’s going on, they might think that it’s actually the bank’s fault.
Banks have to find a balance between mitigating fraud losses but at the same time not inconveniencing their cardholders. In short, banks deploy multiple types of strategies:
- Decision rules: For example, if you are outside certain regions and it is not in your pattern, the bank will decline.
- Alerts: Participating in your own fraud protection by having the bank call you and verify if a certain purchase is yours or not.
- Real-time declines: The consumer doesn’t even know and it’s painless for them.
LTP: That makes sense. Who is your ideal user for Rippleshot’s services?
Canh: Our service encompasses the whole payment system. Obviously, some of our ideal users are banks who were suffering large losses due to data breaches and they’re very happy that we can save them 30-40% of fraud losses.
Merchants are also ideal users for us as we can save them from catastrophic breach events. Our detection catches threats early on before they become full-blown breaches and before merchants suffer massive losses.
Interestingly enough, we expect privacy issues for individuals to be a big trend in 2016 and 2017. A third target for us will be individual consumers that would get alerts on their mobile phones.
LTP: I certainly feel that a lot of credit card companies are taking that precaution. I’ve found that my credit card company texts me more often than I text my friends. I actually feel that the relationship is non-invasive and as a consumer, it’s reassuring to know that my credit card company is keeping an eye out on things.
With more people adapting to mobile wallets as their payment option, does that change the security process? For someone swiping a card versus using Apple Pay versus an in-store loyalty rewards card, does that change anything?
Canh: Fundamentally, it does not because we sit at the authorization level. From our perspective, we’re device agnostic. Whether it’s Google Wallet, Apple Pay, or any of these newer payment systems, we will always see the credit card transaction. It doesn’t change the alert system in the relationship—there will be some issues in terms of how much information each system creates or changes but those are more technical questions that I think everybody in the industry is grappling with now.
LTP: I appreciate you touching on your last point and your prediction for 2016-2017. This concern is going to be a huge point of conversation as the October 2015 deadline for EMV in the US approaches. I’ve already received my chip-and-PIN replacement card from my credit card company. Card issuers have been using this time to educate and open up the dialogue to consumers about this security advancement.
Do you feel that the US should have done this a long time ago and implemented security payment technology sooner? Europe has already been using EMV for years; do you feel that the timing in the US is appropriate or are we behind?
Canh: That’s actually a really good question, and I think that’s a complicated answer. I would say the big difference between Europe and the United States is that there was a government mandate in Europe and that helps every country over there actually be able to adopt that singular standard. In the US, there’s no such government mandate, which is why it’s taking longer to adopt.
One could also argue that technology has surpassed EMV—maybe merchants and banks are questioning whether EMV is the answer going forward—but that’s for a longer conversation. The bottom line from a broad perspective is that we believe, along with all the credit card issuers that we speak with, that fraud is going to increase in the short run over the next two-three years.
LTP: Wow, Rippleshot appears to be making some groundbreaking strides in the data security and payments industry. If your predictions transpire, I’m sure we’ll have a lot to speak about in 2016 and 2017.
In the meantime, can you provide our readers with any exciting news from Rippleshot?
Canh: We have already shown that we can stop 40% of fraud losses for banks, and what we are seeing through our partners and our merchants is that we are offering a very cost-effective way for them to protect themselves. Insurance companies like Lloyd’s of London are recognizing that this is a benefit to them, and they are offering price points that give them a discount for using our solutions. For the merchants that don’t have EMV and are not going to be compliant by the deadline, I think that’s really going to help come October and on through the holiday season.
LTP: LTP and our readers surely appreciate your time and insight on this topic. Cybersecurity innovation is a topic LTP plans on having close coverage on as the October deadline for EMV in the US is rapidly approaching.
About Canh Tran, CEO & Co-Founder, Rippleshot
Canh Tran is an entrepreneur with over 25 years of experience focused on big data and predictive analytics. Throughout his career, Canh has worked with large-scale data such as retail point-of-sale, payment transactions, credit, social and search information to solve sales, marketing, fraud and credit problems.
Canh holds an MBA from Northwestern’s Kellogg School of Management and a BS from the University of Maryland.
Rippleshot's fraud analytics allows card issuers, processors and merchants to proactively monitor suspicious activities and implement smarter fraud risk management strategies when data breaches occur. Rippleshot detects the ripples before the tsunami—the tiny anomalies that signal a looming data breach—and lets you know earlier, so you can play a pivotal role in reducing fraud loss, improving cardholder security and reducing the severity of breaches.