What is the future of payment and how does the payment processing industry fight fraud for traditional banking, fintech startups, and beyond? Join Industry Analyst, Michael Krigsman, and Guest Co-Host, Dr. David A. Bray, as we explore this topic with a senior executive from ACI Worldwide.

Mike Braatz serves as ACI Worldwide’s chief marketing and solutions officer, maximizing value creation for ACI customers and shareholders through innovative marketing and solution strategies. Mr. Braatz oversees strategic marketing activities, solution portfolio and roadmap strategies, and the development and communication of ACI’s corporate strategy. Since joining ACI in 2012, Mr. Braatz has held a number of senior leadership positions.

Most recently, he served as senior vice president and P&L lead for ACI On Demand’s Software as a Service solutions. He previously served as senior vice president and product line manager for ACI On Demand and for ACI’s Payments Risk Management solution.

Dr. David A. Bray was named one of the top "24 Americans Who Are Changing the World" under 40 by Business Insider in 2016. He was also named a Young Global Leader by the World Economic Forum for 2016-2021. He also accepted a role of Co-Chair for an IEEE Committee focused on Artificial Intelligence, automated systems, and innovative policies globally for 2016-2017 and has been serving as a Visiting Executive In-Residence at Harvard University since 2015.

He has also been named a Marshall Memorial Fellow for 2017-2018 and will travel to Europe to discuss Trans-Atlantic issues of common concern including exponential technologies and the global future ahead. Since 2017, he serves as Executive Director for the People-Centered Internet coalition co-founded by Vint Cerf, focused on providing support and expertise for community-focused projects that measurably improve people's lives using the internet. He also provides strategy and advises start-ups espousing human-centric principles to technology-enabled decision making in complex environments.

Transcript

This transcript has been edited for clarity.

Mike Braatz: First and foremost, we're a software company, so we provide technology to the payments industry, the people who want to pay, whether it's a consumer in a store looking to buy something or online or a business looking to pay another business with the sources of those funds which are most of the time in bank accounts but, with some of the new payment methods, those funds can sit in other places. We basically allow that money to move from where it needs to be to where it needs to go. We serve all of the participants in the payments business so, whether you're a merchant, whether you're a bank, whether you're a processor, or whether you're a utility which we would call them a biller looking to help consumers pay their bills online, we serve all of those participants in the payments ecosystem.

Dr. David A. Bray: In addition to different hats that I wear, I'm with what's called the People-Centered Internet Coalition. I serve as Executive Director. Vint Cerf one of the co-creators of the Internet, plus Mei Lin Fung are our co-founders, and we seek to do demonstration projects that are community-led and measurably improve people's lives using the Internet.

What are the data sources and data volumes in the payments industry?

As a first question, could you tell us a little bit about what are those sources and what are the data volumes we're talking about here when you're trying to help with the transactions and make sense of what's occurring?

Mike Braatz: Yeah, when we talk about the payments industry, first of all, it should be noted that there are really, at the simplest level, two types of payments, right? There's a cash payment and then there's everything else, which we consider to be digital payments. Whether you're using a credit card, whether you're using Apple Pay or some other means of payment, the vast majority of those payments are digital payments, and that's a growing percentage of payments around the world.

To put some scale to it, in this year, in 2019, globally—let's just use round numbers—1.8 trillion electronic payment transactions will occur around the world. To put some scale to that, you divide that by the roughly 7.5 billion folks on earth. That is, for every person on earth, about 250 transactions a year. It's not quite one a day, but we're getting close, so it's big and it's growing quickly.

Payments are how commerce happens, right? No matter whether you're a consumer looking to buy a good or service, whether you're a business looking to pay for supplies, or whether you're just trying to pay your friends for the dinner out the other night, that's payments. It's happening all the time, every day, and the volumes are massive, so there's a lot of innovation.

There's a lot of innovation around security as well, which is, I know, one of the topics we're going to get into. The threats to the payment infrastructure are growing and so is the innovation around protecting that infrastructure, those systems, and that movement of money.

Even the cloud; the cloud has become a big source of innovation where you have participants in the ecosystem, whether it's a bank or a merchant who, in the past, wanted to operate their own payment systems for a variety of reasons, are saying, "You know what? No, we can let some other trusted third party run that for us in the cloud so that we can focus on what it is we do." I would say there's innovation happening all over.

How does the real-time payments industry decide if a transaction is fraudulent?

Dr. David A. Bray: Can you give us a sense? When you talk about the challenges with security, fraud protection, or things such as that, just how fast do you have to be to make a go/no-go decision on a transaction and what are some of the approaches you apply to the data that you can talk about that help inform whether something is suspicious, needs to be held up, or warrant further examination?

Mike Braatz: Yeah, well, one of the things I like to always start out when we have this kind of conversation is, the bad guys can try a lot and they only have to be right once to be successful. The good guys have to be right every time. Of course, no matter how hard we try, that's impossible.

You talked about the speed of the decisions. One of the things that's become really important in the modern payment system is the ability to do real-time threat detection and prevention.

In our world, that means for a credit card payment, just take your typical credit card payment with a consumer standing at the grocery store. They insert their card. We've got about 100 milliseconds to make that decision. The vast majority of those decisions are truly go- or no-go within that 100-millisecond window.

There's a small percentage of those transactions, and maybe you as consumers have experienced this, that do get deferred to manual review. We put a bit of a closer microscope on those. That may cause some issues and cause some friction, which we try to avoid, but it's fast. If you think about, you've got 100 milliseconds to do it and we're talking about billions of transactions daily that are happening, it's a massively scaled problem.

What skills do you need to build real-time, data science-based payment systems?

Mike Braatz: The old way of doing fraud prevention was heavily reliant on static rules, right? If this happens, then say no. If that doesn't happen, then let it go. Blacklists and whitelists were common kinds of forms of rules.

Given the scale and the speed, we're much more reliant on advanced analytics, whether that's machine learning, whether that's AI. In order to keep up, for those of us in the payments business who are the good guys, we have had to invest heavily in data science, professionals joining our ranks and helping beef up our fraud prevention systems. There are computer science skills that are very good at building the scale and the security we need to protect those systems. I would say there is definitely a war for that kind of talent out in the industry and these folks can be very hard to come by.

Dr. David A. Bray: The people can work just about anywhere as long as they have the skills and the talent necessary to provide their lens, and so it's good to hear Mike commenting about data science and machine learning as being something they're trying to incorporate. I guess I would just say, are there different parts of the world where you're looking for your talent or do you have thoughts about how you can bring on people of all ages that, if they have the skills, can help with your efforts?

Mike Braatz: Yeah, I would say, if you have the skills and the desire, we're open to it. We're not necessarily looking for it in specific regions. We have technology professionals around the globe. We have offices in 40 countries.

I think, if you look at other participants in the payments ecosystem, not just us, I would say it's probably similar. They're just looking for good talent. There's a shortage of that talent. I love your idea of training up other communities to help build that talent base. I think it would be a welcome thing not only in the payments industry but probably just in the technology industry as a whole.

How does the payments industry classify threats?

Mike Braatz: Yeah, I think I would put it in three categories. I think the first is probably what most people traditionally think of as cyber threats and that's really either attacks on and thefts of data or disruptions of the system itself so that the system can't operate the way it's supposed to. Those are traditional cyber threats. The second category is theft of goods or money, just outright fraud and payments fraud, whether you're stealing money or stealing goods using somebody else's credentials.

Then the third area that's also really important is anti-money laundering. The bad guys trying to hide the movement of money because it's either illegal or it's supposed to be reported to regulatory authorities and they want to fly under the radar. Those are really the three big categories that I think most participants in our industry are looking out for.

Dr. David A. Bray: To get ahead of the curve, with money laundering or fraud, are you seeing different uses of different currencies, fiat currencies, and is there anything you're doing to watch possibly what might be happening in the future with cryptocurrency since they could be used for fraud or money laundering just as well as real-world Fiat currencies? Is that something that you're thinking about on the horizon?

Mike Braatz: Yeah, for sure, and I think we've seen a rise. You mentioned money laundering as cryptocurrency and moving money around. Certainly, if you go back 15 years, there was a big push for anti-money laundering regulation and prevention. I think, as an industry, we've got it kind of under control.

In the last few years, some of it because of the rise of some of these new currencies and some of the rise of the new technologies that are in the hands of the bad guys. We've seen a resurgence in AML or anti-money laundering. That's absolutely on the horizon.

I would say the other thing we're seeing in the fraud world is, for those of us in the United States, we're just now getting used to the chip technology in our cards, right? That has provided a new and good level of protection for the use of cards. It's pushed a lot of the fraud online where the card isn't physically present.

A bad guy with stolen information can go onto a website and make a purchase. That type of online fraud, whether it's traditional e-commerce sites or even in mobile payments, is really on the rise and is something that I think the whole industry is reacting to. There is a lot of state-of-the-art happening to go after that online fraud.

Michael Krigsman: What about state-of-the-art among the criminals? What is their level of sophistication in terms of using automated methods and data such as machine learning and various types of AI techniques?

Mike Braatz: I would say their level of sophistication is very high. We talk a lot about being nimble and agile in the technology industry. They are extremely nimble and agile.

The other thing they've got that we're somewhat limited by on the payment side and on the good guy side is, they collaborate. They work together and they specialize. You've got guys who are really good at breaking into systems. You've got guys who are really good at stealing the data.

Then you've got guys who are really good at making use of that data. All of them are using automation. All of them are using AI. They're trying to mimic the behavior of good consumers so that they are less detected. All of that could be done with technology.

Frankly, it's pretty impressive how well they've embraced it and capitalized on it. That just raises the bar for those of us trying to protect the system.

Dr. David A. Bray: Are there any examples that you can maybe reference where something looked like it was benign or something looked like it was something that was being caused possibly by humans and then, upon deeper investigation, you discovered that this was something that was either more automated in nature or was something much more sophisticated in terms of either the criminals and/or possible nation-states doing something that, at the surface, looked like it was just normal human behavior?

Mike Braatz: Yeah, let me give it a shot. I think one of the things we've seen in the consumer arena that requires a fair bit of sophistication and it also requires some really unsophisticated last-mile behavior, which is, I think, an interesting combination.

One of the things that a lot of merchants and retailers have been offering in the new digital world is, you can buy something online and pick it up in the store. What the bad guys have figured out is that there is a time window that they have to act that has made it very difficult for the protection systems to kind of figure this out.

Basically, what they do is they sit in the parking lot of a Best Buy. They go online with stolen credentials. They make the purchase and basically say, "I'm going to pick it up in the next 15 minutes."

They immediately walk into the store, walk out with a big-screen TV, and they're off before the system can really realize that that wasn't the authorized cardholder. The upfront piece of that to get the information, to know what their time window is, to know what they need to do to mimic the good behavior is highly sophisticated. Walking in the store in the next 30 seconds and walking out with it is unsophisticated, but that's how they make off with their goods.

What’s happening with cyberattacks in 2019 and 2020?

Mike Braatz: Given the data breaches that are well-publicized these days, we're seeing bad guys develop techniques where maybe they've stolen—let's just make up a number—five million records. They have developed technology that allows them to very quickly cycle through those five million records and figure out which ones haven't already had the passwords changed or the account holder or the cardholder doesn't even know that the information has been breached.

They know which websites are vulnerable. They can quickly go to those websites and cycle through those five million in a matter of minutes. Like I said, they only have to be right once. They don't have to be right five million times. They get what they're after.

That level of sophistication to be able to cycle through that volume of data, quickly move on to the next one, and avoid some of the bot detection techniques that you see on websites is highly sophisticated. They know what types of devices to use to do this. They know the IP addresses and how to shift IP addresses very quickly, so it's a combinatorial sophistication of different techniques and high volume data.

Dr. David A. Bray: Mike, this is quite fascinating, what you're sharing. It is sort of akin to an arms race. I guess my question would be, if you look to the next five years in the future, three to five years, and you see that, obviously, these actors that are doing criminal activity will accelerate their activity and their efforts, what gives you hope that you can share on the good guys side that we'll be able to keep up if not find other ways to make sure we stay one ahead of the curve? It seems like you're guarding a 500-mile goalpost and all I have to do is kick it in one place. What gives you hope?

Mike Braatz: Our industry is innovating pretty quickly as well. I think we have figured out that there is no silver bullet, so you need to take a multilayered approach. Banks, processors, merchants, even, and other players in the ecosystem have figured out, "Hey, this is an important cost of doing business. It's not something I'm trying to avoid anymore," and that's not the same as it was.

The other thing that gives me hope is, consumers and businesses have decided they do want to be bothered when something bad is detected on their account. It used to be, "Hey, that's your problem. You protect me. You deal with it."

Now, we're bringing consumers into the loop and saying, "Hey, allow me to set limits. Allow me to get notifications, whether it's a text or an email, when something fishy is going on," or, "Text me a code before purchases are authorized on my behalf." That slight level of friction, which increases the level of protection, is something that consumers are embracing, so I think that gives me hope.

Then I would say, frankly, the government. We talked about state-sponsored bad guys but, on the good side, the government has woken up to this problem and I think they can be a partner to industry to help solve this problem. The payments infrastructure, the financial services infrastructure, it's a national asset that needs to be protected much like you'd protect an energy grid or something else. I think there's an important partnership there.

Dr. David A. Bray: It is recognizing that, like you said, the financial infrastructure is a critical infrastructure and it's vital. The other thing that I also love that you said is it's about not introducing a lot of friction, but a subtle amount of friction that, in our quest to have things become frictionless, we may discover that it slid off the rails. If there's a little bit of friction that asks for a one-time code or a notification that you've hit a limit and, "Is this really you?"

I love that you said that, Mike, because that really emphasizes how people can take ownership of this and not assign it to solely being the problem for someone else to solve, that we can all be a part of it in a people-centered solution.

Mike Braatz: People who have had their accounts hacked or taken over know what a hassle it is to get back up and running, get a new card issued, whatever the situation may be. I think part of it is to kind of learn by experience but, hey, I think we're in a much better place than we were five or ten years ago.

Michael Krigsman: Mike, you are providing the infrastructure and a variety of different capabilities to financial institutions.

Mike Braatz: Mm-hmm.

Michael Krigsman: The consumer, then, is ultimately dependent on the financial institutions to implement those features.

Mike Braatz: Yes.

Michael Krigsman: How does that balance work? You may provide the infrastructure but if my bank hasn't built the software or take advantage of it, I'm out of luck.

Mike Braatz: Yeah. No, that's true. That's true. I would say banks and merchants alike have responded. I think they view security as an opportunity to build a better relationship with their customers and potentially an opportunity to differentiate themselves from their competition in how good a job they do with it.

You're absolutely right. It is incumbent upon your bank, your favorite merchant, or your favorite e-commerce site to implement it. But I think we have moved past the days where they resisted that and they've embraced it. They're now trying to build out and fill little gaps.

I also think that they are viewing, especially in the merchant world and the retail consumer spending world, they have seen consumers want to have that trust, want to have that security that when I go to that website, my information is going to be protected. They're using that as an opportunity to build a closer relationship and have a higher level of consumer engagement using security.

How does fraud change in real-time payments rather than credit cards?

Mike Braatz: Yeah, it is a great question. Yeah, real-time payments are a big deal. Right now, today, they're a bigger deal in other countries than they are in the U.S., but it truly is coming to the U.S. I think the Fed's announcement that they're going to stand up their own network for real-time payments is going to push that along.

The thing about real-time payments is, just as the name implies, the money moves immediately. It settles and clears in real-time. Once it's gone, it's gone, unlike other payment methods, and that does include credit and debit cards and others. There is somewhat of a delay that allows us to take action and there is a chargeback process if something is determined to be fraud.

With real-time payments, it's gone and it's much more difficult, if not impossible, to get it back. That raises the bar on our ability to detect fraud in that 100-millisecond window because that's about all we're going to have.

The other thing is, these are truly different payment rails. In other words, it's not riding the same network that your credit card transactions are, and so these new networks have different configurations, different capabilities. To make fraud prevention work within that environment, we're going to have to use different techniques. It is going to create a new arm of the fraud prevention world as these new real-time payments come on.

Luckily, we do have some experience in other markets like the U.K., India, and Indonesia where real-time payments have really taken hold. We're getting our experience that we can then apply to countries in Europe and the U.S. when that comes on.

Dr. David A. Bray: Going further in that direction, Mike, do you find that, in those cases where you're doing real-time payments in other countries, you're having to collect additional information in terms of, possibly, is the person willing to share their location for that time period, that their phone is nearby, or does a one-time code? Are there other factors that you're having to assemble precisely because you have that smaller window and it's that critical go/no-go in a much more tight timeframe? Are you finding there are other factors of data you need to have?

Mike Braatz: Yeah, and the good news is that the new, real-time payment schemes have explicitly factored that in. Without getting too technical, it's a new data standard that allows for much more data to come along with the transaction.

That additional data, those additional data fields, if you will, allow us to do a much better job determining whether this is legitimate or illegitimate activity. That's helpful. They were smart when they designed those data standards that allow us to do that and so I would say the good news is that they built that into the system and now we can take advantage of it.

As far as we're concerned, when it comes to detecting fraud, more data is better. Now, because of big data technologies, because of machine learning, we can handle that kind of scale. The more signals we can get to help determine whether that's really you, David, or really you, Michael, hey, we'll take it.

Do cyber threats come from specific regions of the world?

Mike Braatz: We see a lot of fraud from Eastern Europe, from Brazil, from China. It just happens to be where there are ecosystems of people who figured out how to do some of the things they need to do to attack the systems. Really, truly, you're seeing the threats come from everywhere, but I would say the places I mentioned at the start are where we see a vast predominance of the fraud coming from.

I think there is a lot of discussion. We talked about the bad guys collaborating. Well, collaboration is one thing through dark networks and other things, but is there state-sponsored attacks going on as well? I think there's a lot of discussion about that and I think a lot of smart people who really study this believe that it is going on as a way to disrupt economies and disrupt systems around the world.

It is getting harder and harder to determine the actual location of where messages on the Internet are coming from. Yeah, that's why location is one thing. There are other things we can use to kind of piece together, well, it looks like they're coming from the same state or the same region, but are there other things we can use to determine that they're probably not?

Dr. David A. Bray: If I could pull a little bit further on that too because, at the end of the day, what you're talking about is identity online.

Mike Braatz: Yes.

Dr. David A. Bray: Having the opportunity to work with Vint Cerf, who helped with co-creating TCP/IP, he said, one, TCP/IP was always a draft spec and it was meant to be updated. One of the things they didn't include in that specification was an identity layer. Mike, I'd be interested. In some respects, when you get into determining is this really Michael, is this really me, is this really you trying to make that payment, you're getting into identity.

Is that something where you see maybe innovation in the future might be helping people take back some ownership of what their identity is online and making sure that it's truly them when they do financial transactions?

Mike Braatz: Yeah, absolutely. Digital identity is a big issue. It's actually much bigger than just the payment system. Within the payment system, there is a concept that we talk about that we refer to as a token. Instead of your actual card number being used to flow through the transaction and exposing that card number to all the places where it could get compromised, it's actually converted to a code, which we call a token, and that token can be very closely associated with your digital identity, which represents maybe more than just how you spend money.

There is a lot of discussion about how we map that token to that digital identity so that we really can verify if it's you. Listen, if we can really have great confidence in your digital identity and your payment token, we're pretty much going to leave you alone because we've determined you're a good guy. It's the bad guys we want to focus all of our energy on. There is a lot of innovation, a lot of investment going on both within and outside of the payments industry around that concept.

Michael Krigsman: This notion of identity is so inextricably bound to payments. Does that, in effect, mean that in addition to the mechanics of transferring payments back and forth, you are almost equally involved in the identity business. Is that a fair statement or not really?

Mike Braatz: The term we use in the payments business is authentication. Do we know who you are? Are you who you say you are—effectively? That's identity. The first step in really any payment transaction is authentication. There are lots of different ways to do that, some of them involving texting you a code. That's out of band authentication, but there are other things like biometrics, facial recognition, fingerprints on your iPhone. That kind of authentication becomes very closely associated with your identity because it's literally part of your physical being and who you are. Yeah, it's intimately linked.

Dr. David A. Bray: Another question for you, Mike, is, we've seen some parts of Scandinavia and northern Europe trying to move towards truly cashless societies.

Mike Braatz: Yeah.

Dr. David A. Bray: I'd be interested in your thoughts about the likelihood of that happening more globally and on what time horizon because there are some that say, if we move off of cash, in some respects cash is used for a lot of illegal activities or it's actually stolen from you because it is hard to track. Do you see cashless societies as something that's more likely in the future for other parts of the world?

Mike Braatz: The answer to that is yes. I think the trend is headed that way. It's probably a long, slow arc globally.

To me, one of the most interesting examples of a cashless society and quick movement is India. Within the last couple of years, the very strong government-led action to move to a cashless society. You're talking about a billion people who were heavily dependent on cash and, I think, by all intents and measures, it's been a big success.

I think it's been a big success for a few reasons. One was, the government really got behind it. Number two, the banks got behind it—maybe with a little help from the government. Number three, they made it easier on consumers and merchants to move to cashless.

One of the factors that were in play there was a very high percentage of Indians had a mobile phone. They made it the number payment method, mobile-centric. They have a new payment method that we call UPI in India, and they made it really easy to access, use, load funds onto your mobile phone. All of a sudden, every Indian with a mobile phone in their pocket, which is the vast majority of them, has access to their new, frictionless, modern, secure payment system.

We've seen the participation in that system grow gangbusters and it's only growing faster and expanding to more and more parts of the country. It's been a real success, so I think, if a country as complex and as large as India can do it, we're going to see it in other places as well.

Dr. David A. Bray: One of the side benefits that I know that's been seen in India and other places in the world—I was in Afghanistan for a while—people started receiving their payments directly by mobile phone.

Mike Braatz: Absolutely.

Dr. David A. Bray: Actually, in some case, they came back and said, "When did you get a salary increase?" and the answer was they had never gotten a salary increase. It's just when it was cash, 20% or 30% was being taken off the top before it ever got to them and they didn't actually know that they weren't getting their whole salaries. There's a huge benefit to reducing graph as well when you go to electronic, cashless payments.

Mike Braatz: Yeah, and that feeds one of the goals of this is raising participation out in the clear banking system. I think if people see those kinds of benefits, whereas before they may not have necessarily trusted the system, I think they say, "Hey, there is actually a real benefit for me here," so I think it's a win/win.

Michael Krigsman: Mike, you spoke earlier about the role of nation-states using the payment system to try to undermine our economy. We hear so much in the news right now about fake news and social media, fake social media counts. I'm wondering about the connections between manipulation using social media and payment fraud, and are there intersections that you can think of to share with us?

Mike Braatz: Certainly, the technologies, they can use to accomplish those things. At the end of the day, they're trying to kind of sow confusion and create friction, if you will. By using technologies that can do behavioral profiling and understand how people behave and how people react to certain stimulus, you might see that in the social media manipulation.

Very similar techniques can then be applied to duping the financial system and allowing the bad guys to commit fraud. I think there is a lot of parallels.

If you probably peeled the onion back one or two layers, underlying that is some very common technologies. We're talking about machine learning. We're talking about AI. We're talking about big data. All of those things kind of come into play I imagine they sit underneath both.

How do you fight state-sponsored actors who want to commit fraud?

Mike Braatz: It's hard. I think you've got to prioritize, and you've got to figure out. It's like anything. Anything where there are limited resources, you've got to kind of pick your priorities, place your bets and, so far, the technology to protect the payment system in the financial services industry has done a pretty good job.

Rates of fraud kind of per thousand transactions have come way down. Unfortunately, the level of attacks has gone way up. The bad guys are still taking their share.

The other thing I would say is, it's about taking a multilayered approach. When you're talking about fighting against almost unlimited resources who are using sophisticated techniques, you're going to have to have multiple layers of defense. Some of it protecting the underlying data. Some of it protecting the applications, and then some of it protecting where the consumers come into play and I think we just have to keep investing.

It's going to have to become more and more a part of our business model in the industry and I think it has.

Dr. David A. Bray: I guess the question from, what motivates you and what helps inspire you and your C suite team. Is it the fact that, actually, in some respects, you are the David going against the larger goliath? Having to be both innovative and scrappy, does that help motivate you? What do you find inspires you and your team?

Mike Braatz: Yeah, certainly. I think, when it comes to fraud prevention, which is a big part of our business, providing incredibly secure systems to our customers so that they can grow their businesses, that motivates us.

I think the other thing, if we do that right, if we do the secure part right, we enable commerce to happen. That's really what we're trying to do is facilitate commerce for our customers. Whether it's a bank or a merchant, we want their business to thrive and we know that security is a big part of our value proposition and I think that's very motivating for us.

Michael Krigsman: As we finish up, what advice do you have to organizations and also to consumers to stay safe? I figure you're the guy to ask.

Mike Braatz: Continue to invest in it. It's a multilayered approach. There is no one silver bullet technology or solution you can use to protect yourself. It's going to take a portfolio.

Get your consumers involved. This is advice to businesses and to consumers. Get involved, meaning, hey, if your bank or your merchant or your favorite e-commerce site gives you the ability to kind of set fraud limits and get notifications and get texts, do it. It's amazing how much more effective a system is when the consumer is partnered with their financial institution in preventing fraud. That's another one.

I think consumer education is a big part of it too. We're still living in days where consumers are writing down passwords and storing them in their wallets. The more education we can do to kind of prevent that kind of behavior, the better. When your bank offers you new technology, whether it's the chip on your card or something else, take advantage of it.

Dr. David A. Bray: Talking about the need to involve consumers and consumers to take the ownership to say, "If you have the opportunity through your bank, through your merchant site, or whatever, the reality is we all have to be a part of the solution. It can't just be solved by one individual, one group, one silver bullet. It's when the community takes ownership of this and says, "We want to have better, more trusted commerce as a result, that to me is the most inspiring thing and that's why I really applaud what you're doing, Mike, with your company.

Michael Krigsman: I guess that also raises the question, David. When you talk about the community taking ownership, what's the community?

Mike Braatz: Well, the reality is, that may be why you're seeing these challenges of what you talked about in terms of polarization, misinformation, social wedges is, we used to define our community as our physical neighbors. Now that you've overlaid the Internet on top of it, you can know more people online than you do in your immediate neighborhood. That's calling in questions as to what is your community?

We've seen this before when the car was invented. The nation, the United States, and other nations faced the challenge that they never had before, which is interstate crime could occur. You could actually, physically drive to a state that you didn't reside in, do the crime, and then drive back. We had to figure out ways to address that and part of that was finger-painting and the federal bureau of Investigation, and other solutions.

I think, in this case, the community, at the end of the day, is going to become a combination of both who you choose to associate with—both online and in-person, in terms of your activities and your financial transactions, but also, at the end of the day, I think we're going to – quite frankly, is discover the community is ultimately global. It's all of us on the planet together.

Michael Krigsman: I don't know, David. It sounds good, but I'm so skeptical of this because, when we have the community, that implies that we all take responsibility and, therefore, no one has the responsibility to do anything.

Dr. David A. Bray: Well, this is it. I would actually say it's the other way around. When you actually meet with an audience and say, "Who do you think is going to solve this? Is it the government's solution to solve it?" Is it the private sector solution to solve it? Is it micro solutions to solve it?

As Mike sort of indicated, they are all playing parts of it but I think what we're really facing now in the 21st Century is what I would call learned helplessness in which people feel like these issues are either too big or things like that. Definitely, in the example, you're not going to do what Mike and his company are doing in terms of all the processes.

But if you're given the opportunity to do a one-time password for a transaction, or you're given the opportunity to have a token that you use to actually authenticate your transactions with a little bit of friction, but it makes it better

 If you choose to make that very simple, probably no more than ten-second decision of your time, you will have better outcomes than if you choose to do a completely frictionless solution where you don't want to have any involvement with a one-time password or some sort of token and then you're surprised later when somebody has actually done something fraud in your name. It's not asking a lot of us but it is saying that you can be a part of this larger ecosystem in helping to move things forward.

Michael Krigsman: Well, you know, speaking as a consumer, I have people in various parts of the world that I employ and that I pay. Of course, I'm always scared about the money going out into the ether or giving some payment company, intermediary, access to my bank account. But on the other hand, it's also such a hassle. Every time I make certain types of payments, I get interrupted. Then sometimes the credit card company construes it. It's a separate issue, but it's kind of related. Construes it as a cash advance, which means I'm now paying cash advance interest rates as opposed to a payment for a service.

I haven't lost any. I haven't personally. I've lost my identity many times to data breaches, but I haven't actually been personally compromised my accounts. I guess the system is working well. Mike, it does remain a hassle, though.

Mike Braatz: Yeah, well, I think it does go back to the point I made about, hey, those companies that you're doing business with that make it a hassle that you find unacceptable, they have an opportunity to actually fix that and to use that as a differentiator and a reason why you would continue to do business. They've got to make that better, right? There are ways to have relatively frictionless experience for you, as the consumer, and still be highly secure. I think the companies who are figuring that out are the ones that are ultimately going to do very well and secede in their markets.

Dr. David A. Bray: Michael, one question I would ask you real quick is, you're walking in a dark alley in a place that you don't know and you feel somewhat unsafe. What would you rather have in your back pocket: $10,000 in U.S. cash, or electronic payment, app, or card? Which would you prefer to have?

Mike Braatz: Yeah, that's an easy one. Of course, I'd want a digital payment. [Laughter]

Mike Braatz: [Laughter] Yeah, so I think that gets to Michael's point, which is, yes there are opportunities to reduce friction and there may be some things in our household, but we are still, generally, moving forward in a progressive direction that is making the world – like you said – reducing fraud. The challenge is, of course, the bad guys are increasing their volume, but reducing the incidents of fraud overall.

Dr. David A. Bray: Yeah.

Michael Krigsman: Well, there's certainly no doubt about that. With that, we are out of time. I would like to thank our two guests today, Mike Braatz is with ACI Worldwide. David Bray is with People-Centered Internet. Gentlemen, thank you so much for joining us today.

Mike Braatz: Thanks, Michael. It was a pleasure.

Dr. David A. Bray: Thanks for having me, Michael.

Michael Krigsman: Everybody, you've been watching CXOTalk. Subscribe on YouTube and hit the little subscribe button our website and subscribe to our mailing list. We'll see you again next time. Thanks so much, everybody. Have a great day. Bye-bye.

This transcript has been edited for clarity.

Mike Braatz: First and foremost, we're a software company, so we provide technology to the payments industry, the people who want to pay, whether it's a consumer in a store looking to buy something or online or a business looking to pay another business with the sources of those funds which are most of the time in bank accounts but, with some of the new payment methods, those funds can sit in other places. We basically allow that money to move from where it needs to be to where it needs to go. We serve all of the participants in the payments business so, whether you're a merchant, whether you're a bank, whether you're a processor, or whether you're a utility which we would call them a biller looking to help consumers pay their bills online, we serve all of those participants in the payments ecosystem.

Dr. David A. Bray: In addition to different hats that I wear, I'm with what's called the People-Centered Internet Coalition. I serve as Executive Director. Vint Cerf one of the co-creators of the Internet, plus Mei Lin Fung are our co-founders, and we seek to do demonstration projects that are community-led and measurably improve people's lives using the Internet.

What are the data sources and data volumes in the payments industry?

As a first question, could you tell us a little bit about what are those sources and what are the data volumes we're talking about here when you're trying to help with the transactions and make sense of what's occurring?

Mike Braatz: Yeah, when we talk about the payments industry, first of all, it should be noted that there are really, at the simplest level, two types of payments, right? There's a cash payment and then there's everything else, which we consider to be digital payments. Whether you're using a credit card, whether you're using Apple Pay or some other means of payment, the vast majority of those payments are digital payments, and that's a growing percentage of payments around the world.

To put some scale to it, in this year, in 2019, globally—let's just use round numbers—1.8 trillion electronic payment transactions will occur around the world. To put some scale to that, you divide that by the roughly 7.5 billion folks on earth. That is, for every person on earth, about 250 transactions a year. It's not quite one a day, but we're getting close, so it's big and it's growing quickly.

Payments are how commerce happens, right? No matter whether you're a consumer looking to buy a good or service, whether you're a business looking to pay for supplies, or whether you're just trying to pay your friends for the dinner out the other night, that's payments. It's happening all the time, every day, and the volumes are massive, so there's a lot of innovation.

There's a lot of innovation around security as well, which is, I know, one of the topics we're going to get into. The threats to the payment infrastructure are growing and so is the innovation around protecting that infrastructure, those systems, and that movement of money.

Even the cloud; the cloud has become a big source of innovation where you have participants in the ecosystem, whether it's a bank or a merchant who, in the past, wanted to operate their own payment systems for a variety of reasons, are saying, "You know what? No, we can let some other trusted third party run that for us in the cloud so that we can focus on what it is we do." I would say there's innovation happening all over.

How does the real-time payments industry decide if a transaction is fraudulent?

Dr. David A. Bray: Can you give us a sense? When you talk about the challenges with security, fraud protection, or things such as that, just how fast do you have to be to make a go/no-go decision on a transaction and what are some of the approaches you apply to the data that you can talk about that help inform whether something is suspicious, needs to be held up, or warrant further examination?

Mike Braatz: Yeah, well, one of the things I like to always start out when we have this kind of conversation is, the bad guys can try a lot and they only have to be right once to be successful. The good guys have to be right every time. Of course, no matter how hard we try, that's impossible.

You talked about the speed of the decisions. One of the things that's become really important in the modern payment system is the ability to do real-time threat detection and prevention.

In our world, that means for a credit card payment, just take your typical credit card payment with a consumer standing at the grocery store. They insert their card. We've got about 100 milliseconds to make that decision. The vast majority of those decisions are truly go- or no-go within that 100-millisecond window.

There's a small percentage of those transactions, and maybe you as consumers have experienced this, that do get deferred to manual review. We put a bit of a closer microscope on those. That may cause some issues and cause some friction, which we try to avoid, but it's fast. If you think about, you've got 100 milliseconds to do it and we're talking about billions of transactions daily that are happening, it's a massively scaled problem.

What skills do you need to build real-time, data science-based payment systems?

Mike Braatz: The old way of doing fraud prevention was heavily reliant on static rules, right? If this happens, then say no. If that doesn't happen, then let it go. Blacklists and whitelists were common kinds of forms of rules.

Given the scale and the speed, we're much more reliant on advanced analytics, whether that's machine learning, whether that's AI. In order to keep up, for those of us in the payments business who are the good guys, we have had to invest heavily in data science, professionals joining our ranks and helping beef up our fraud prevention systems. There are computer science skills that are very good at building the scale and the security we need to protect those systems. I would say there is definitely a war for that kind of talent out in the industry and these folks can be very hard to come by.

Dr. David A. Bray: The people can work just about anywhere as long as they have the skills and the talent necessary to provide their lens, and so it's good to hear Mike commenting about data science and machine learning as being something they're trying to incorporate. I guess I would just say, are there different parts of the world where you're looking for your talent or do you have thoughts about how you can bring on people of all ages that, if they have the skills, can help with your efforts?

Mike Braatz: Yeah, I would say, if you have the skills and the desire, we're open to it. We're not necessarily looking for it in specific regions. We have technology professionals around the globe. We have offices in 40 countries.

I think, if you look at other participants in the payments ecosystem, not just us, I would say it's probably similar. They're just looking for good talent. There's a shortage of that talent. I love your idea of training up other communities to help build that talent base. I think it would be a welcome thing not only in the payments industry but probably just in the technology industry as a whole.

How does the payments industry classify threats?

Mike Braatz: Yeah, I think I would put it in three categories. I think the first is probably what most people traditionally think of as cyber threats and that's really either attacks on and thefts of data or disruptions of the system itself so that the system can't operate the way it's supposed to. Those are traditional cyber threats. The second category is theft of goods or money, just outright fraud and payments fraud, whether you're stealing money or stealing goods using somebody else's credentials.

Then the third area that's also really important is anti-money laundering. The bad guys trying to hide the movement of money because it's either illegal or it's supposed to be reported to regulatory authorities and they want to fly under the radar. Those are really the three big categories that I think most participants in our industry are looking out for.

Dr. David A. Bray: To get ahead of the curve, with money laundering or fraud, are you seeing different uses of different currencies, fiat currencies, and is there anything you're doing to watch possibly what might be happening in the future with cryptocurrency since they could be used for fraud or money laundering just as well as real-world Fiat currencies? Is that something that you're thinking about on the horizon?

Mike Braatz: Yeah, for sure, and I think we've seen a rise. You mentioned money laundering as cryptocurrency and moving money around. Certainly, if you go back 15 years, there was a big push for anti-money laundering regulation and prevention. I think, as an industry, we've got it kind of under control.

In the last few years, some of it because of the rise of some of these new currencies and some of the rise of the new technologies that are in the hands of the bad guys. We've seen a resurgence in AML or anti-money laundering. That's absolutely on the horizon.

I would say the other thing we're seeing in the fraud world is, for those of us in the United States, we're just now getting used to the chip technology in our cards, right? That has provided a new and good level of protection for the use of cards. It's pushed a lot of the fraud online where the card isn't physically present.

A bad guy with stolen information can go onto a website and make a purchase. That type of online fraud, whether it's traditional e-commerce sites or even in mobile payments, is really on the rise and is something that I think the whole industry is reacting to. There is a lot of state-of-the-art happening to go after that online fraud.

Michael Krigsman: What about state-of-the-art among the criminals? What is their level of sophistication in terms of using automated methods and data such as machine learning and various types of AI techniques?

Mike Braatz: I would say their level of sophistication is very high. We talk a lot about being nimble and agile in the technology industry. They are extremely nimble and agile.

The other thing they've got that we're somewhat limited by on the payment side and on the good guy side is, they collaborate. They work together and they specialize. You've got guys who are really good at breaking into systems. You've got guys who are really good at stealing the data.

Then you've got guys who are really good at making use of that data. All of them are using automation. All of them are using AI. They're trying to mimic the behavior of good consumers so that they are less detected. All of that could be done with technology.

Frankly, it's pretty impressive how well they've embraced it and capitalized on it. That just raises the bar for those of us trying to protect the system.

Dr. David A. Bray: Are there any examples that you can maybe reference where something looked like it was benign or something looked like it was something that was being caused possibly by humans and then, upon deeper investigation, you discovered that this was something that was either more automated in nature or was something much more sophisticated in terms of either the criminals and/or possible nation-states doing something that, at the surface, looked like it was just normal human behavior?

Mike Braatz: Yeah, let me give it a shot. I think one of the things we've seen in the consumer arena that requires a fair bit of sophistication and it also requires some really unsophisticated last-mile behavior, which is, I think, an interesting combination.

One of the things that a lot of merchants and retailers have been offering in the new digital world is, you can buy something online and pick it up in the store. What the bad guys have figured out is that there is a time window that they have to act that has made it very difficult for the protection systems to kind of figure this out.

Basically, what they do is they sit in the parking lot of a Best Buy. They go online with stolen credentials. They make the purchase and basically say, "I'm going to pick it up in the next 15 minutes."

They immediately walk into the store, walk out with a big-screen TV, and they're off before the system can really realize that that wasn't the authorized cardholder. The upfront piece of that to get the information, to know what their time window is, to know what they need to do to mimic the good behavior is highly sophisticated. Walking in the store in the next 30 seconds and walking out with it is unsophisticated, but that's how they make off with their goods.

What’s happening with cyberattacks in 2019 and 2020?

Mike Braatz: Given the data breaches that are well-publicized these days, we're seeing bad guys develop techniques where maybe they've stolen—let's just make up a number—five million records. They have developed technology that allows them to very quickly cycle through those five million records and figure out which ones haven't already had the passwords changed or the account holder or the cardholder doesn't even know that the information has been breached.

They know which websites are vulnerable. They can quickly go to those websites and cycle through those five million in a matter of minutes. Like I said, they only have to be right once. They don't have to be right five million times. They get what they're after.

That level of sophistication to be able to cycle through that volume of data, quickly move on to the next one, and avoid some of the bot detection techniques that you see on websites is highly sophisticated. They know what types of devices to use to do this. They know the IP addresses and how to shift IP addresses very quickly, so it's a combinatorial sophistication of different techniques and high volume data.

Dr. David A. Bray: Mike, this is quite fascinating, what you're sharing. It is sort of akin to an arms race. I guess my question would be, if you look to the next five years in the future, three to five years, and you see that, obviously, these actors that are doing criminal activity will accelerate their activity and their efforts, what gives you hope that you can share on the good guys side that we'll be able to keep up if not find other ways to make sure we stay one ahead of the curve? It seems like you're guarding a 500-mile goalpost and all I have to do is kick it in one place. What gives you hope?

Mike Braatz: Our industry is innovating pretty quickly as well. I think we have figured out that there is no silver bullet, so you need to take a multilayered approach. Banks, processors, merchants, even, and other players in the ecosystem have figured out, "Hey, this is an important cost of doing business. It's not something I'm trying to avoid anymore," and that's not the same as it was.

The other thing that gives me hope is, consumers and businesses have decided they do want to be bothered when something bad is detected on their account. It used to be, "Hey, that's your problem. You protect me. You deal with it."

Now, we're bringing consumers into the loop and saying, "Hey, allow me to set limits. Allow me to get notifications, whether it's a text or an email, when something fishy is going on," or, "Text me a code before purchases are authorized on my behalf." That slight level of friction, which increases the level of protection, is something that consumers are embracing, so I think that gives me hope.

Then I would say, frankly, the government. We talked about state-sponsored bad guys but, on the good side, the government has woken up to this problem and I think they can be a partner to industry to help solve this problem. The payments infrastructure, the financial services infrastructure, it's a national asset that needs to be protected much like you'd protect an energy grid or something else. I think there's an important partnership there.

Dr. David A. Bray: It is recognizing that, like you said, the financial infrastructure is a critical infrastructure and it's vital. The other thing that I also love that you said is it's about not introducing a lot of friction, but a subtle amount of friction that, in our quest to have things become frictionless, we may discover that it slid off the rails. If there's a little bit of friction that asks for a one-time code or a notification that you've hit a limit and, "Is this really you?"

I love that you said that, Mike, because that really emphasizes how people can take ownership of this and not assign it to solely being the problem for someone else to solve, that we can all be a part of it in a people-centered solution.

Mike Braatz: People who have had their accounts hacked or taken over know what a hassle it is to get back up and running, get a new card issued, whatever the situation may be. I think part of it is to kind of learn by experience but, hey, I think we're in a much better place than we were five or ten years ago.

Michael Krigsman: Mike, you are providing the infrastructure and a variety of different capabilities to financial institutions.

Mike Braatz: Mm-hmm.

Michael Krigsman: The consumer, then, is ultimately dependent on the financial institutions to implement those features.

Mike Braatz: Yes.

Michael Krigsman: How does that balance work? You may provide the infrastructure but if my bank hasn't built the software or take advantage of it, I'm out of luck.

Mike Braatz: Yeah. No, that's true. That's true. I would say banks and merchants alike have responded. I think they view security as an opportunity to build a better relationship with their customers and potentially an opportunity to differentiate themselves from their competition in how good a job they do with it.

You're absolutely right. It is incumbent upon your bank, your favorite merchant, or your favorite e-commerce site to implement it. But I think we have moved past the days where they resisted that and they've embraced it. They're now trying to build out and fill little gaps.

I also think that they are viewing, especially in the merchant world and the retail consumer spending world, they have seen consumers want to have that trust, want to have that security that when I go to that website, my information is going to be protected. They're using that as an opportunity to build a closer relationship and have a higher level of consumer engagement using security.

How does fraud change in real-time payments rather than credit cards?

Mike Braatz: Yeah, it is a great question. Yeah, real-time payments are a big deal. Right now, today, they're a bigger deal in other countries than they are in the U.S., but it truly is coming to the U.S. I think the Fed's announcement that they're going to stand up their own network for real-time payments is going to push that along.

The thing about real-time payments is, just as the name implies, the money moves immediately. It settles and clears in real-time. Once it's gone, it's gone, unlike other payment methods, and that does include credit and debit cards and others. There is somewhat of a delay that allows us to take action and there is a chargeback process if something is determined to be fraud.

With real-time payments, it's gone and it's much more difficult, if not impossible, to get it back. That raises the bar on our ability to detect fraud in that 100-millisecond window because that's about all we're going to have.

The other thing is, these are truly different payment rails. In other words, it's not riding the same network that your credit card transactions are, and so these new networks have different configurations, different capabilities. To make fraud prevention work within that environment, we're going to have to use different techniques. It is going to create a new arm of the fraud prevention world as these new real-time payments come on.

Luckily, we do have some experience in other markets like the U.K., India, and Indonesia where real-time payments have really taken hold. We're getting our experience that we can then apply to countries in Europe and the U.S. when that comes on.

Dr. David A. Bray: Going further in that direction, Mike, do you find that, in those cases where you're doing real-time payments in other countries, you're having to collect additional information in terms of, possibly, is the person willing to share their location for that time period, that their phone is nearby, or does a one-time code? Are there other factors that you're having to assemble precisely because you have that smaller window and it's that critical go/no-go in a much more tight timeframe? Are you finding there are other factors of data you need to have?

Mike Braatz: Yeah, and the good news is that the new, real-time payment schemes have explicitly factored that in. Without getting too technical, it's a new data standard that allows for much more data to come along with the transaction.

That additional data, those additional data fields, if you will, allow us to do a much better job determining whether this is legitimate or illegitimate activity. That's helpful. They were smart when they designed those data standards that allow us to do that and so I would say the good news is that they built that into the system and now we can take advantage of it.

As far as we're concerned, when it comes to detecting fraud, more data is better. Now, because of big data technologies, because of machine learning, we can handle that kind of scale. The more signals we can get to help determine whether that's really you, David, or really you, Michael, hey, we'll take it.

Do cyber threats come from specific regions of the world?

Mike Braatz: We see a lot of fraud from Eastern Europe, from Brazil, from China. It just happens to be where there are ecosystems of people who figured out how to do some of the things they need to do to attack the systems. Really, truly, you're seeing the threats come from everywhere, but I would say the places I mentioned at the start are where we see a vast predominance of the fraud coming from.

I think there is a lot of discussion. We talked about the bad guys collaborating. Well, collaboration is one thing through dark networks and other things, but is there state-sponsored attacks going on as well? I think there's a lot of discussion about that and I think a lot of smart people who really study this believe that it is going on as a way to disrupt economies and disrupt systems around the world.

It is getting harder and harder to determine the actual location of where messages on the Internet are coming from. Yeah, that's why location is one thing. There are other things we can use to kind of piece together, well, it looks like they're coming from the same state or the same region, but are there other things we can use to determine that they're probably not?

Dr. David A. Bray: If I could pull a little bit further on that too because, at the end of the day, what you're talking about is identity online.

Mike Braatz: Yes.

Dr. David A. Bray: Having the opportunity to work with Vint Cerf, who helped with co-creating TCP/IP, he said, one, TCP/IP was always a draft spec and it was meant to be updated. One of the things they didn't include in that specification was an identity layer. Mike, I'd be interested. In some respects, when you get into determining is this really Michael, is this really me, is this really you trying to make that payment, you're getting into identity.

Is that something where you see maybe innovation in the future might be helping people take back some ownership of what their identity is online and making sure that it's truly them when they do financial transactions?

Mike Braatz: Yeah, absolutely. Digital identity is a big issue. It's actually much bigger than just the payment system. Within the payment system, there is a concept that we talk about that we refer to as a token. Instead of your actual card number being used to flow through the transaction and exposing that card number to all the places where it could get compromised, it's actually converted to a code, which we call a token, and that token can be very closely associated with your digital identity, which represents maybe more than just how you spend money.

There is a lot of discussion about how we map that token to that digital identity so that we really can verify if it's you. Listen, if we can really have great confidence in your digital identity and your payment token, we're pretty much going to leave you alone because we've determined you're a good guy. It's the bad guys we want to focus all of our energy on. There is a lot of innovation, a lot of investment going on both within and outside of the payments industry around that concept.

Michael Krigsman: This notion of identity is so inextricably bound to payments. Does that, in effect, mean that in addition to the mechanics of transferring payments back and forth, you are almost equally involved in the identity business. Is that a fair statement or not really?

Mike Braatz: The term we use in the payments business is authentication. Do we know who you are? Are you who you say you are—effectively? That's identity. The first step in really any payment transaction is authentication. There are lots of different ways to do that, some of them involving texting you a code. That's out of band authentication, but there are other things like biometrics, facial recognition, fingerprints on your iPhone. That kind of authentication becomes very closely associated with your identity because it's literally part of your physical being and who you are. Yeah, it's intimately linked.

Dr. David A. Bray: Another question for you, Mike, is, we've seen some parts of Scandinavia and northern Europe trying to move towards truly cashless societies.

Mike Braatz: Yeah.

Dr. David A. Bray: I'd be interested in your thoughts about the likelihood of that happening more globally and on what time horizon because there are some that say, if we move off of cash, in some respects cash is used for a lot of illegal activities or it's actually stolen from you because it is hard to track. Do you see cashless societies as something that's more likely in the future for other parts of the world?

Mike Braatz: The answer to that is yes. I think the trend is headed that way. It's probably a long, slow arc globally.

To me, one of the most interesting examples of a cashless society and quick movement is India. Within the last couple of years, the very strong government-led action to move to a cashless society. You're talking about a billion people who were heavily dependent on cash and, I think, by all intents and measures, it's been a big success.

I think it's been a big success for a few reasons. One was, the government really got behind it. Number two, the banks got behind it—maybe with a little help from the government. Number three, they made it easier on consumers and merchants to move to cashless.

One of the factors that were in play there was a very high percentage of Indians had a mobile phone. They made it the number payment method, mobile-centric. They have a new payment method that we call UPI in India, and they made it really easy to access, use, load funds onto your mobile phone. All of a sudden, every Indian with a mobile phone in their pocket, which is the vast majority of them, has access to their new, frictionless, modern, secure payment system.

We've seen the participation in that system grow gangbusters and it's only growing faster and expanding to more and more parts of the country. It's been a real success, so I think, if a country as complex and as large as India can do it, we're going to see it in other places as well.

Dr. David A. Bray: One of the side benefits that I know that's been seen in India and other places in the world—I was in Afghanistan for a while—people started receiving their payments directly by mobile phone.

Mike Braatz: Absolutely.

Dr. David A. Bray: Actually, in some case, they came back and said, "When did you get a salary increase?" and the answer was they had never gotten a salary increase. It's just when it was cash, 20% or 30% was being taken off the top before it ever got to them and they didn't actually know that they weren't getting their whole salaries. There's a huge benefit to reducing graph as well when you go to electronic, cashless payments.

Mike Braatz: Yeah, and that feeds one of the goals of this is raising participation out in the clear banking system. I think if people see those kinds of benefits, whereas before they may not have necessarily trusted the system, I think they say, "Hey, there is actually a real benefit for me here," so I think it's a win/win.

Michael Krigsman: Mike, you spoke earlier about the role of nation-states using the payment system to try to undermine our economy. We hear so much in the news right now about fake news and social media, fake social media counts. I'm wondering about the connections between manipulation using social media and payment fraud, and are there intersections that you can think of to share with us?

Mike Braatz: Certainly, the technologies, they can use to accomplish those things. At the end of the day, they're trying to kind of sow confusion and create friction, if you will. By using technologies that can do behavioral profiling and understand how people behave and how people react to certain stimulus, you might see that in the social media manipulation.

Very similar techniques can then be applied to duping the financial system and allowing the bad guys to commit fraud. I think there is a lot of parallels.

If you probably peeled the onion back one or two layers, underlying that is some very common technologies. We're talking about machine learning. We're talking about AI. We're talking about big data. All of those things kind of come into play I imagine they sit underneath both.

How do you fight state-sponsored actors who want to commit fraud?

Mike Braatz: It's hard. I think you've got to prioritize, and you've got to figure out. It's like anything. Anything where there are limited resources, you've got to kind of pick your priorities, place your bets and, so far, the technology to protect the payment system in the financial services industry has done a pretty good job.

Rates of fraud kind of per thousand transactions have come way down. Unfortunately, the level of attacks has gone way up. The bad guys are still taking their share.

The other thing I would say is, it's about taking a multilayered approach. When you're talking about fighting against almost unlimited resources who are using sophisticated techniques, you're going to have to have multiple layers of defense. Some of it protecting the underlying data. Some of it protecting the applications, and then some of it protecting where the consumers come into play and I think we just have to keep investing.

It's going to have to become more and more a part of our business model in the industry and I think it has.

Dr. David A. Bray: I guess the question from, what motivates you and what helps inspire you and your C suite team. Is it the fact that, actually, in some respects, you are the David going against the larger goliath? Having to be both innovative and scrappy, does that help motivate you? What do you find inspires you and your team?

Mike Braatz: Yeah, certainly. I think, when it comes to fraud prevention, which is a big part of our business, providing incredibly secure systems to our customers so that they can grow their businesses, that motivates us.

I think the other thing, if we do that right, if we do the secure part right, we enable commerce to happen. That's really what we're trying to do is facilitate commerce for our customers. Whether it's a bank or a merchant, we want their business to thrive and we know that security is a big part of our value proposition and I think that's very motivating for us.

Michael Krigsman: As we finish up, what advice do you have to organizations and also to consumers to stay safe? I figure you're the guy to ask.

Mike Braatz: Continue to invest in it. It's a multilayered approach. There is no one silver bullet technology or solution you can use to protect yourself. It's going to take a portfolio.

Get your consumers involved. This is advice to businesses and to consumers. Get involved, meaning, hey, if your bank or your merchant or your favorite e-commerce site gives you the ability to kind of set fraud limits and get notifications and get texts, do it. It's amazing how much more effective a system is when the consumer is partnered with their financial institution in preventing fraud. That's another one.

I think consumer education is a big part of it too. We're still living in days where consumers are writing down passwords and storing them in their wallets. The more education we can do to kind of prevent that kind of behavior, the better. When your bank offers you new technology, whether it's the chip on your card or something else, take advantage of it.

Dr. David A. Bray: Talking about the need to involve consumers and consumers to take the ownership to say, "If you have the opportunity through your bank, through your merchant site, or whatever, the reality is we all have to be a part of the solution. It can't just be solved by one individual, one group, one silver bullet. It's when the community takes ownership of this and says, "We want to have better, more trusted commerce as a result, that to me is the most inspiring thing and that's why I really applaud what you're doing, Mike, with your company.

Michael Krigsman: I guess that also raises the question, David. When you talk about the community taking ownership, what's the community?

Mike Braatz: Well, the reality is, that may be why you're seeing these challenges of what you talked about in terms of polarization, misinformation, social wedges is, we used to define our community as our physical neighbors. Now that you've overlaid the Internet on top of it, you can know more people online than you do in your immediate neighborhood. That's calling in questions as to what is your community?

We've seen this before when the car was invented. The nation, the United States, and other nations faced the challenge that they never had before, which is interstate crime could occur. You could actually, physically drive to a state that you didn't reside in, do the crime, and then drive back. We had to figure out ways to address that and part of that was finger-painting and the federal bureau of Investigation, and other solutions.

I think, in this case, the community, at the end of the day, is going to become a combination of both who you choose to associate with—both online and in-person, in terms of your activities and your financial transactions, but also, at the end of the day, I think we're going to – quite frankly, is discover the community is ultimately global. It's all of us on the planet together.

Michael Krigsman: I don't know, David. It sounds good, but I'm so skeptical of this because, when we have the community, that implies that we all take responsibility and, therefore, no one has the responsibility to do anything.

Dr. David A. Bray: Well, this is it. I would actually say it's the other way around. When you actually meet with an audience and say, "Who do you think is going to solve this? Is it the government's solution to solve it?" Is it the private sector solution to solve it? Is it micro solutions to solve it?

As Mike sort of indicated, they are all playing parts of it but I think what we're really facing now in the 21st Century is what I would call learned helplessness in which people feel like these issues are either too big or things like that. Definitely, in the example, you're not going to do what Mike and his company are doing in terms of all the processes.

But if you're given the opportunity to do a one-time password for a transaction, or you're given the opportunity to have a token that you use to actually authenticate your transactions with a little bit of friction, but it makes it better

 If you choose to make that very simple, probably no more than ten-second decision of your time, you will have better outcomes than if you choose to do a completely frictionless solution where you don't want to have any involvement with a one-time password or some sort of token and then you're surprised later when somebody has actually done something fraud in your name. It's not asking a lot of us but it is saying that you can be a part of this larger ecosystem in helping to move things forward.

Michael Krigsman: Well, you know, speaking as a consumer, I have people in various parts of the world that I employ and that I pay. Of course, I'm always scared about the money going out into the ether or giving some payment company, intermediary, access to my bank account. But on the other hand, it's also such a hassle. Every time I make certain types of payments, I get interrupted. Then sometimes the credit card company construes it. It's a separate issue, but it's kind of related. Construes it as a cash advance, which means I'm now paying cash advance interest rates as opposed to a payment for a service.

I haven't lost any. I haven't personally. I've lost my identity many times to data breaches, but I haven't actually been personally compromised my accounts. I guess the system is working well. Mike, it does remain a hassle, though.

Mike Braatz: Yeah, well, I think it does go back to the point I made about, hey, those companies that you're doing business with that make it a hassle that you find unacceptable, they have an opportunity to actually fix that and to use that as a differentiator and a reason why you would continue to do business. They've got to make that better, right? There are ways to have relatively frictionless experience for you, as the consumer, and still be highly secure. I think the companies who are figuring that out are the ones that are ultimately going to do very well and secede in their markets.

Dr. David A. Bray: Michael, one question I would ask you real quick is, you're walking in a dark alley in a place that you don't know and you feel somewhat unsafe. What would you rather have in your back pocket: $10,000 in U.S. cash, or electronic payment, app, or card? Which would you prefer to have?

Mike Braatz: Yeah, that's an easy one. Of course, I'd want a digital payment. [Laughter]

Mike Braatz: [Laughter] Yeah, so I think that gets to Michael's point, which is, yes there are opportunities to reduce friction and there may be some things in our household, but we are still, generally, moving forward in a progressive direction that is making the world – like you said – reducing fraud. The challenge is, of course, the bad guys are increasing their volume, but reducing the incidents of fraud overall.

Dr. David A. Bray: Yeah.

Michael Krigsman: Well, there's certainly no doubt about that. With that, we are out of time. I would like to thank our two guests today, Mike Braatz is with ACI Worldwide. David Bray is with People-Centered Internet. Gentlemen, thank you so much for joining us today.

Mike Braatz: Thanks, Michael. It was a pleasure.

Dr. David A. Bray: Thanks for having me, Michael.

Michael Krigsman: Everybody, you've been watching CXOTalk. Subscribe on YouTube and hit the little subscribe button our website and subscribe to our mailing list. We'll see you again next time. Thanks so much, everybody. Have a great day. Bye-bye.