Visa’s Digital Future & AI Visions: What does it mean for you, for banks and for security?
Hello readers,
Visa has recently issued a press release recently on how they plan to “Reinvent… the card for the digital age” (https://usa.visa.com/about-visa/newsroom/press-releases.releaseId.20686.html). As a security researcher, this got the gears in my head spinning over whether or not these changes are press-release hyperbole, or if there are legitimate changes coming which need to be heeded by banks, consumers and other fintech adjacent businesses. Another question in my head was how this was going to be shaped, or already had been shaped, by PCI DSS 4.0. It turns out there are areas which need to be considered for many of the stated concepts Visa has put forth, including tokenization. You can read about these in an RSI Security article here: https://blog.rsisecurity.com/how-to-meet-tokenization-pci-dss-requirements/
For this blog post, I’m going to briefly cover my thoughts and brief research on the areas of consumer, banking and challengers to Visa’s vision of future service.
You:
Tap to pay and digital payment systems are so much huger in the rest of the world. For anyone who has traveled abroad or worked in a drive thru service has seen increasing transactions in tap to pay, both through physical card and by phone. It’s the fastest way to get to payment without fumbling through a physical wallet. Having these services available on your phone means that more flexibility and opportunity opens up for how you can control your credit, debit, and fund sources. For this reason, card control apps and actions will be more of a thing in Google Pay, Apple Wallet, Razer Pay, etc. Apple was going to lead this with the Apple Card but they may have been too soon to the game and fumbled the opportunity.
Tap to confirm will speculatively require tapping an NFC reader to confirm a purchase online. This means more interactivity between the phone and end payment systems. It also stresses the importance of good security. More on that later.
Banks:
The press release makes careful mention of A2A transactions in this new digital context. Transition to new and upcoming technologies should be like Zelle. While Visa doesn’t suggest there will be new services for this on the horizon, it’s reassuring to see how this system continues to evolve in the consumer fraud protection space.
Face or fingerprints being sent to Visa for their FIDO verification portal: This expands the use cases for FIDO and its 6 varying levels of Certified Authenticator Levels (https://fidoalliance.org/certification/authenticator-certification-levels/) within the context of consumer grade financial technologies. As consumer level identity will be processed around PII, rollouts being done for corporate backend environments may need to be soon implemented for the consumer space with heavy consideration for data privacy protections and regulations.
The article also makes note of use cases for AI in its tokenization section. Transaction tokens have been used for decades according to Visa, meaning their service. It suggests that tokens should be utilized by organizations along with insights from “Gen AI”. Generative AI services, as a rule of thumb, SHOULD NOT SEE, USE OR GET ACCESS TO THE TOKEN SYSTEM. These two systems are disparate as water and oil, and those who disagree need not look farther then research put into AI prompt generation exploits being researched by organizations such as Lakera (https://www.lakera.ai/). Using AI for consumer purchase information should ALWAYS BE SEPARATE FROM PII. Risks associated with connecting transaction history to AI may lead to consumer information breaches stemming from the use of prompt injection or other exploits of LLM AI systems. There will be dragons.
Competitors:
Visa Flexible Credentials may bring challenge to competitors like Revoult, Privacy and Curve for digital card number generation or card anonymization. The number going away is the biggest takeaway from this article, and organizations who pride themselves on creating randomized ‘private’ credit or debit card numbers may find themselves needing to observe the current system and make adjustments.
Also challenging Affirm and Paypal Credit is Visa’s “pay in part” system for payments of large transactions to be broken up into smaller segments to pay over a period of time. We will need to see how this develops over time.
This concludes a brief summary of my thoughts on Visa’s press release. It is good to be back to writing blogs for medium again. Thank you for reading and as always,
Stay Safe.