Visa's Network Operation Center
Peter Krogh
On the outskirts of Washington D.C., a short road turns off a main thoroughfare and leads up to a non-descript building that has been deliberately left out of Google Earth. A security guard mans a booth at the entrance, ensuring all visitors have received prior clearance and that their identification is in proper order.
Beyond the checkpoint, the road swerves sharply to the left. The hairpin turn has been designed to stop fleeing vehicles. There are hydraulic posts that pop up from the surface, capable of stopping a large truck going 110 kilometers per hour, should the need arise.
At the top of a small hill are two buildings. One is a cluster of administrative offices, the other can only be reached by crossing a bridge over what employees call "the moat." There are no crocodiles or even water in the moat, but rather a deep pit that separates the heart of all this secrecy and security from the rest of the world.
Inside, infrared motion detectors, fingerprint readers, hordes of cameras and "man-traps" – airlock-like chambers – prevent unauthorized individuals from gaining access. There are, I'm told, more people watching you than there are actually working in the building.
Welcome to Visa's Operations Center East, the newest of its high-tech, high-security data centres, where the financial secrets of millions of customers are stored and processed.
As the moat implies, the building is a veritable fortress. Spanning 35,000 square metres, the OCE is built for disaster. The 18-inch-thick concrete walls can withstand an earthquake of 7.0 magnitude and hurricane-force winds of up to 270 kph. The ceilings can even support 10 m of snow.
Should the complex ever lose power, it can sustain itself with 14 diesel generators that create enough electricity to run 25,000 homes. There's also a 5.6 million-litre tank of water on site, used to cool the thousands of servers at the core of the entire operation.
All in all, Visa planned for the worst when building the OCE, which opened in November, 2008. With the centre a key cog in overseeing the credit card company's 150 million daily transactions, it was best to assume that whatever could go wrong would indeed go wrong.
"We take the approach that Murphy was an optimist," quips Michael Dreyer who, as Visa's chief information officer, oversees the operation.
Our tour is the first time non-American journalists have been invited into Visa's core. The complex is one of the company's four network operations centres around the world – three are in the United States, with the fourth in Singapore. The OCE is a Tier 4 data centre, a designation reserved for those that pack the highest levels of importance and security.
Along with two South American reporters, I'm guided through the OCE's five pods. Like bulkheads on a ship, they're separated from each other so that problems in one don't affect the others. The pods have "system-on-system redundancy," which is techno-jargon for multiple fail-safe mechanisms.
During the busy Christmas buying season, the centre handles more than 11,000 transactions per second. Its systems are capable of processing up to 30,000 per second, and that's without the other two pods that are still under construction.
The long white hallways between pods are eerie in their immaculate cleanliness and lack of people. Overall, the OCE feels like something out of the X-Files – an antiseptic bunker where evidence of alien visitations is kept or killer viruses are secretly developed.
The nerve centre is the Network Operations Center, a cavernous room that looks more like something out of a NASA space launch. Huge video screens and global maps span the main wall in front of a horde of analysts, who also watch four monitors apiece at their workstations. All the screen real estate is devoted to watching transactions as they take place around the world.
It's clear that Visa has brought us here to impress upon us how seriously it takes customers' security. With online fraud growing seemingly exponentially, the quest for stronger safeguards on electronic commerce is becoming ever more vital. And with each subsequent breach making consumers a little more wary, credit card companies are feeling a pressing need to lift their veils of secrecy just a bit, in hopes of reassuring users.
The latest big breach happened in March, when Global Payments – a middle-man company that processes transactions for Visa, MasterCard and others – reported that at least 1.5 million card numbers had been exposed to criminals. Soon after, the processor said Visa had dropped it and wasn't sure when or if it would be reinstated.
At the centre of the issue is something called PCI DSS, or Payment Card Industry Data Security Standard, a rigid code of best practices adopted by companies dealing with credit card transactions. Visa was quick to point out that it wasn't its own systems that were compromised, but rather those of a middle man.
Marco Bravo, Visa's senior business leader for payment system risk in Latin America and the Caribbean, says compliance with the code is an ongoing process – it's not something that's tested at given times. That makes it a tough standard for processors such as Global Payments and card issuers such as banks to adhere to.
"At the moment of their compromise, they weren't PCI compliant," he says. "There's a point in time where they are compliant, but if tomorrow they make a system change, that might affect their compliance and they can become vulnerable."
Lapses are dealt with on a case-by-case basis. If Visa isn't happy with one particular part of the chain, they'll cut it off and won't reinstate it until improvement can be shown. The credit card company's heft is usually enough to motivate prompt compliance.
Still, despite the rising tide of breaches, the credit card company insists the amount of money that people are actually losing through fraud is decreasing. In the early 1990s, before the rise of e-commerce, Visa lost 18 cents out of every $100. Fraud was much more primitive then, usually resulting from lost or stolen cards.
Today, with global criminal enterprises actively trying to steal customers' financial information, fraud is a much more sophisticated business. Yet despite that, Visa says its loss has declined to 5 cents for every $100.
It's a counter-intuitive development that, Mr. Bravo explains, stems from the commensurate improvement in security systems. Today's cards and payment systems are considerably more secure, so breaches don't necessarily translate into losses.
Part of the trick is advanced authentication, where every transaction is assessed a risk score. Depending on that score, different security measures kick in.
"If you go to McDonald's and do a transaction, [it has] a low risk score, so we will not authenticate you," he says. "But if you're buying a car or a flat panel TV and the transaction is scored as high risk, then you'll be prompted for additional authentication."
Those additional steps can be simple, such as the merchant asking the buyer for identification, but more likely the microchip on the credit card will be activated. The chip cards, which Canadian banks started rolling out in 2008, generate dynamic cryptograms. Unlike PIN numbers, which rarely change, the cryptograms morph every few minutes, which makes it hard to clone cards.
With cards getting harder to fake, criminals are shifting to e-commerce, or in Visa's parlance, "card-not-present" transactions. There too, new security measures are being added. Canada has been a quick adopter of the Verified by Visa feature, Mr. Bravo says, where buyers go through a secondary authentication procedure online. These methods are also preventing the rising tide of breaches from turning into losses, he says.
The future holds new challenges as payments shift to mobile phones. Not only are new techniques that identify devices and the users of those devices needed, Visa also faces the potential threat of being disintermediated in its own business. After all, what's to stop Apple from allowing iPhone owners to use their iTunes accounts as de facto credit cards?
Mr. Dreyer, the CIO, isn't too concerned about that, mainly because he doesn't see Visa as a credit card company – it's a technology company that specializes in financial transactions. Apple and other phone makers could handle mobile payments themselves, but he doesn't think they would want to.
"Doing payments at scale is complex. It's one thing to do a payment, it's another thing to do it at thousands and thousands of transactions per second and make sure that happens reliably, safely and secure all the time," he says. "Doing the chargeback disputes and so on, none of these are trivial tasks."
Mr. Bravo says the move to mobile is inevitable and it's happening quickly, but the complete elimination of plastic is not likely to happen "in my lifetime." But what about the humble signature?
"As an authentication technology, it's becoming obsolete."